[lxc-devel] [lxc/lxc] 301a5f: apparmor: clean up apparmor_process_label_get

Christian Brauner noreply at github.com
Fri Feb 19 12:15:52 UTC 2021


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 301a5f8e786c61fb3dcc107a9ae18ae507857895
      https://github.com/lxc/lxc/commit/301a5f8e786c61fb3dcc107a9ae18ae507857895
  Author: Aleksa Sarai <cyphar at cyphar.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/lsm/apparmor.c

  Log Message:
  -----------
  apparmor: clean up apparmor_process_label_get

Rather than open-coding file reading and retry semantics and
implementing the path generation logic separately to
apparmor_process_label_fd_get, refactor the logic so that it looks
closer to the pidfd version.

This will make it easier to implement the two-step handling for
/proc/self/attr/apparmor/current and makes this code slightly less
confusing.

Signed-off-by: Aleksa Sarai <cyphar at cyphar.com>


  Commit: 47f4914d88dfb8d8b2207c955c37af347032444d
      https://github.com/lxc/lxc/commit/47f4914d88dfb8d8b2207c955c37af347032444d
  Author: Aleksa Sarai <cyphar at cyphar.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/lsm/apparmor.c
    M src/lxc/macro.h

  Log Message:
  -----------
  apparmor: prefer /proc/.../attr/apparmor/current over legacy interface

It turns out that since Linux 5.1 there are now per-LSM subdirectories
for major LSMs, which users are recommended to use over the "legacy"
top-level /proc/$pid/attr/... files[1]:

> Process attributes associated with “major” security modules should be
> accessed and maintained using the special files in /proc/.../attr. A
> security module may maintain a module specific subdirectory there,
> named after the module. /proc/.../attr/smack is provided by the Smack
> security module and contains all its special files. The files directly
> in /proc/.../attr remain as legacy interfaces for modules that provide
> subdirectories.

AppArmor has had such a directory since Linux 5.8[2], and it turns out
that with certain CONFIG_LSM configurations you can end up with AppArmor
files not being accessible from the legacy interface. Arch Linux
recently added BPF as one of the enabled LSM in their configuration, and
this broke runc[3] and LXC.

The solution is to first try to use /proc/$pid/attr/apparmor/current and
fall back to /proc/$pid/attr/current if the former is not available.

[1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html
[2]: Linux 5.8 ; commit 6413f852ce08 ("apparmor: add proc subdir to attrs")
[3]: https://github.com/opencontainers/runc/issues/2801

Signed-off-by: Aleksa Sarai <cyphar at cyphar.com>


  Commit: f43ed6a0ab5a2b3658cebf6f4360a0fb76aeec52
      https://github.com/lxc/lxc/commit/f43ed6a0ab5a2b3658cebf6f4360a0fb76aeec52
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2021-02-19 (Fri, 19 Feb 2021)

  Changed paths:
    M src/lxc/lsm/apparmor.c
    M src/lxc/macro.h

  Log Message:
  -----------
  Merge pull request #3686 from cyphar/apparmor-attr-subdir

apparmor: prefer /proc/.../attr/apparmor/current over legacy interface


Compare: https://github.com/lxc/lxc/compare/35a68d6df2c2...f43ed6a0ab5a


More information about the lxc-devel mailing list